
Security researchers have identified malware targeting the widely used Modbus industrial communication protocol that was responsible for more than 600 apartment buildings in Ukraine losing heat for two days in January.
The malware, dubbed FrostyGoop, is a first-of-its-kind malware that uses Modbus to allow attackers to carry out further attacks on ICS. It was linked to the outage after the Cyber Security Situation Center (CSSC), part of the Security Service of Ukraine, shared information about an attack targeting a municipal energy company in Lviv.
Researchers did not attribute FrostyGoop to a particular threat actor. The malware was written using Go and other open-source software libraries. The creators of the malware are now being tracked by Dragos as TAT2024-24.
While it’s not particularly sophisticated, experts warn FrostyGoop reveals that attackers continue to focus on once obscure systems and protocols, including those that keep critical infrastructure like electricity and water working.
The attackers are believed to have initially compromised the municipal energy provider’s networks through a vulnerability in a MikroTik router. They then carried out various tasks to set up the attack, including obtaining user credentials for the energy system. It was also discovered that, hours before the incident, the attackers were connecting to the energy system’s network from Moscow-based IP addresses.
The malware initiates communication with the target IP address over Modbus TCP port 502. The IP address can be specified either as an argument when the malware is executed or in its JSON configuration file. Once a connection is established, FrostyGoop sends Modbus commands to the device. After it sends the commands and receives the target device’s responses, the binary closes the connection and exits.
FrostyGoop ICS malware capabilities include accepting optional command line execution arguments; using separate configuration files to specify target IP addresses and Modbus commands; communicating with ICS devices via Modbus TCP protocol; sending Modbus commands to read or modify data on ICS devices; and logging output to a console or JSON file.
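The traffic described above is ordinary Modbus/TCP: a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by a function code and its data, on port 502. Because the protocol carries no authentication, a defender's best signal is which hosts issue which function codes. The following is an added example, not code from the original report or from Dragos, showing how a network monitor could parse Modbus/TCP requests and flag write function codes (the ones that modify device data) arriving from hosts outside an engineering allowlist, with reads from unapproved hosts and malformed frames flagged at lower severity. The IP addresses, the allowlist and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change device state (from the public protocol spec)
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
# Function codes that only read data
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

# Assumed allowlist of hosts that are permitted to talk Modbus to the controllers
ENGINEERING_HOSTS = {"10.0.10.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    # The MBAP length field counts the unit id byte plus the PDU that follows it
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return ModbusRequest(tid, pid, length, uid, frame[7], frame[8:])


def evaluate(src_ip: str, frame: bytes, allowed_hosts: set) -> Optional[str]:
    """Return an alert string for a suspicious request, or None if it looks benign."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"MALFORMED from {src_ip}: {exc}"
    if req.protocol_id != 0:
        return f"MALFORMED from {src_ip}: protocol id {req.protocol_id} is not Modbus"
    if src_ip in allowed_hosts:
        return None
    if req.function_code in WRITE_FUNCTION_CODES:
        name = WRITE_FUNCTION_CODES[req.function_code]
        return f"HIGH from {src_ip}: {name} (0x{req.function_code:02x}) to unit {req.unit_id}"
    if req.function_code in READ_FUNCTION_CODES:
        name = READ_FUNCTION_CODES[req.function_code]
        return f"MEDIUM from {src_ip}: {name} (0x{req.function_code:02x}) from unapproved host"
    return None


# Constructed sample traffic as (source IP, raw Modbus/TCP request); not real captures
SAMPLE_TRAFFIC = [
    # approved host reads 10 holding registers starting at 0
    ("10.0.10.5", bytes.fromhex("000100000006" "01" "03" "0000000a")),
    # approved host writes one register (expected engineering activity)
    ("10.0.10.5", bytes.fromhex("000200000006" "01" "06" "00010000")),
    # unapproved host reads the same registers
    ("203.0.113.7", bytes.fromhex("000300000006" "01" "03" "0000000a")),
    # unapproved host writes one register via Write Multiple Registers
    ("203.0.113.7", bytes.fromhex("000400000009" "01" "10" "0001000102" "0000")),
    # frame with a non-zero protocol id (not valid Modbus)
    ("203.0.113.7", bytes.fromhex("000500010006" "01" "03" "0000000a")),
]


def run_samples() -> list:
    """Evaluate every sample frame; entries are None where nothing was flagged."""
    return [evaluate(src, frame, ENGINEERING_HOSTS) for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for alert in run_samples():
        if alert:
            print(alert)
```

In a real deployment the frames would come from a network tap or a Zeek/Suricata Modbus log rather than an inline list, and the allowlist would be the set of HMIs and engineering workstations that are supposed to write to each controller; any write from outside that set, or from a new transaction-id sequence on an unexpected host, is the kind of activity that should be investigated.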
The attack was launched as Ukraine dealt with a large-scale cyberattack in January that caused issues at the country’s largest oil and gas company and its national post service, among other entities.
The only other hacking unit known to have such an impact on Ukraine’s critical infrastructure is Sandworm, which is run by Russia’s Main Intelligence Directorate military unit. Sandworm has been notorious for taking down Ukraine’s grid multiple times, including most recently in October 2022 when it hacked into an electrical substation.
It’s not often that malware targeting sensitive industrial control networks is discovered. One of the most recent was Pipedream, which experts feared could be the ICS equivalent of Cobalt Strike, a legitimate threat emulation tool that has been co-opted by malicious attackers.
FrostyGoop is the ninth ICS malware discovered to date, after Trisis (Triton), CrashOverride (Industroyer), BlackEnergy2, Havex, Stuxnet, Industroyer2, PipeDream, and Fuxnet.
This research was documented by researchers from Dragos.
Recommendations
- Effective Incident Response
- Defensible Architecture
- Network Monitoring
- Secure Remote Access
- Vulnerability Management